===============================================================================
Security Advisory CERT-NL
===============================================================================
Author/Source : CERT-NL (Teun Nijssen) Index : S-93-20
Distribution : World Page : 1
Classification: External Version: Final
Subject : Internet Security Scanner Date : 01-Oct-93
==============================================================================
CERT-NL attends its constituency on the public release of the Internet
Security Scanner, posted to comp.sources.misc on 29-Sep-1993. Within hours of
its appearance on Netnews, Internet domains were being scanned for weaknesses
by potential hackers.
Site Security Contacts not able to retrieve the sources of this tool, can ask
cert-nl@surfnet.nl for copies.
The following text is taken verbatim from the advisory of CIAC one
of CERT-NL's sister organisations in the USA.
_________________________________________________________________________
PROBLEM: Automated attacks on networked computers.
PLATFORM: All systems supporting TCP/IP networking.
DAMAGE: Unauthorized access to information and computer resources.
SOLUTION: Examine machines for vulnerabilities detailed below and apply
fixes as needed.
__________________________________________________________________________
Critical Information about Automated Network Scanning Software
CIAC has learned that software allowing automated scanning of networked
computers for security vulnerabilities was recently made publicly
available on the Internet. The software package, known as ISS or Internet
Security Scanner, will interrogate all computers within a specified IP
address range, determining the security posture of each with respect to
several common system vulnerabilities. The software was designed as a
security tool for system and network administrators. However, given its
wide distribution and ability to scan remote networks, CIAC feels that it
is likely ISS will also be used to locate vulnerable hosts for malicious
reasons.
While none of the vulnerabilities ISS checks for are new, their
aggregation into a widely available automated tool represents a higher
level of threat to networked machines. CIAC has analyzed the operation of
the program and strongly recommends that administrators take this
opportunity to re-examine systems for the vulnerabilities described below.
Also detailed below are available security tools that may assist in the
detection and prevention of malicious use of ISS. Finally, common
symptoms of an ISS attack are outlined to allow detection of malicious
use.
ISS Vulnerabilities
-------------------
The following vulnerabilities are tested for by the ISS tool.
Administrators should verify the state of their systems and perform
corrective actions as indicated.
Default Accounts The accounts "guest" and "bbs", if they exist, should
have non-trivial passwords. If login access to these
accounts is not needed, they should be disabled by
placing a "*" in the password field and the string
"/bin/false" in the shell field in /etc/passwd. See
the system manual entry for "passwd" for more
information on changing passwords and disabling
accounts.
For example, the /etc/passwd entry for a disabled guest
account should resemble the following:
guest:*:2311:50:Guest User:/home/guest:/bin/false
lp Account The account "lp", if it exists, should not allow logins.
It should be disabled by placing a "*" in the password
field and the string "/bin/false" in the shell field in
/etc/passwd.
Decode Alias Mail aliases for decode and uudecode should be disabled
on UNIX systems. If the file /etc/aliases contains
entries for these programs, they should be disabled by
placing a "#" at the beginning of the line and then
executing the command "newaliases". Consult the manual
page for "aliases" for more information on UNIX mail
aliases.
A disabled decode alias should appear as follows:
# decode: "|/usr/bin/uudecode"
Sendmail The sendmail commands "wiz" and "debug" should be
disabled. This may be verified by executing the
following commands:
% telnet hostname 25
220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
wiz
You wascal wabbit! Wandering wizards won't win!
(or 500 Command unrecognized)
quit
% telnet hostname 25
220 host Sendmail 5.65 ready at Wed, 29 Sep 93 20:28:46 PDT
debug
500 Command unrecognized
quit
If the "wiz" command returns "Please pass, oh mighty
wizard", your system is vulnerable to attack. The
command should be disabled by adding a line to the
sendmail.cf configuration file containing the string:
OW*
If the "debug" command responds with the string
"200 Debug set", you should immediately obtain a newer
version of sendmail software from your vendor.
Anonymous FTP Anonymous FTP allows users without accounts to have
restricted access to certain directories on the system.
The availability of anonymous FTP on a given system may
be determined by executing the following commands:
% ftp hostname
Connected to hostname.
220 host FTP server ready.
Name (localhost:jdoe): anonymous
530 User anonymous unknown.
Login failed.
The above results indicate that anonymous FTP is not
enabled. If the system instead replies with the
string "331 Guest login ok" and then prompts for a
password, anonymous FTP access is enabled.
The configuration of systems allowing anonymous FTP
should be checked carefully, as improperly configured
FTP servers are frequently attacked. Refer to CIAC
Bulletin D-19 for more information.
NIS SunOS 4.x machines using NIS are vulnerable unless the
patch 100482 has been installed. See CIAC Bulletin
C-25 for more information regarding this patch.
NFS Filesystems exported under NFS should be mountable only
by a restricted set of hosts. The UNIX "showmount"
command will display the filesystems exported by a given
host:
% /usr/etc/showmount -e hostname
export list for hostname:
/usr hosta:hostb:hostc
/usr/local (everyone)
The above output indicates that this NFS server is
exporting two partitions: /usr, which can be mounted by
hosta, hostb, and hostc; and /usr/local which can be
mounted by anyone. In this case, access to the
/usr/local partition should be restricted. Consult the
system manual entry for "exports" or "NFS" for more
information.
rusers The UNIX rusers command displays information about
accounts currently active on a remote system. This may
provide an attacker with account names or other
information useful in mounting an attack. To check for
the availability of rusers information on a particular
machine, execute the following command:
% rusers -l hostname
hostname: RPC: Program not registered
If the above example had instead generated a list of
user names and login information, a rusers server is
running on the host. The server may be disabled by
placing a "#" at the beginning of the appropriate line
in the file /etc/inetd.conf and then sending the SIGHUP
signal to the inetd process. For example, a disabled
rusers entry might appear as follows:
#rusersd/2 dgram rpc/udp wait root /usr/etc/rusersd rusersd
rexd The UNIX remote execution server rexd provides only
minimal authentication and is easily subverted. It
should be disabled by placing a "#" at the beginning of
the rexd line in the file /etc/inetd.conf and then
sending the SIGHUP signal to the inetd process. The
disabled entry should resemble the following:
#rexd/1 stream rpc/tcp wait root /usr/etc/rexd rexd
Available Tools
---------------
There are several available security tools that may be used to prevent or
detect malicious use of ISS. They include the following:
SPI SPI, the Security Profile Inspector, will detect the
system vulnerabilities described above, as well as many
others. U.S. Government agencies interested in
obtaining SPI should send E-mail to spi@cheetah.llnl.gov
or call (510) 422-3881 for more information.
COPS The COPS security tool will also detect the
vulnerabilities described above. It is available via
anonymous FTP from ftp.cert.org in the directory
/pub/tools/cops/1.04.
ISS Running ISS on your systems will provide you with the
same information an attacker would obtain, allowing you
to correct vulnerabilities before they can be exploited.
Note that the current version of the software is known
to function poorly on some operating systems. If you
should have difficulty using the software, please contact
CIAC for assistance. ISS may be obtained via anonymous
FTP from ftp.uu.net in the directory
/usenet/comp.sources.misc/volume39/iss.
TCP Wrappers Access to most UNIX network services can be more closely
controlled using software known as a TCP wrapper. The
wrapper provides additional access control and flexible
logging features that may assist in both the prevention
and detection of network attacks. This software is
available via anonymous FTP from ftp.win.tue.nl in the
file /pub/security/tcp_wrappers_6.0.shar.Z
Detecting an ISS Attack
-----------------------
Given the wide distribution of the ISS tool, CIAC feels that remote
attacks are likely to occur. Such attacks can cause system warnings to be
generated that may prove useful in tracking down the source of the attack.
The most probable indicator of an ISS attack is a mail message sent to
"postmaster" on the scanned system similar to the following:
From: Mailer-Daemon@hostname (Mail Delivery Subsystem)
Subject: Returned mail: Unable to deliver mail
Message-Id: <9309291633.AB04591@>
To: Postmaster@hostname
----- Transcript of session follows -----
<<< VRFY guest
550 guest... User unknown
<<< VRFY decode
550 decode... User unknown
<<< VRFY bbs
550 bbs... User unknown
<<< VRFY lp
550 lp... User unknown
<<< VRFY uudecode
550 uudecode... User unknown
<<< wiz
500 Command unrecognized
<<< debug
500 Command unrecognized
421 Lost input channel to remote.machine
----- No message was collected -----
If you should receive such a message, it is likely that your machine and
others on your network have been scanned for vulnerabilities. You should
immediately contact your computer security officer for assistance
in assessing the damage and taking corrective action.
---------------------------------------------------------------------------
CERT-NL thanks CIAC for sharing this information with its FIRST partners
and advises its constituency to check their own domains for weaknesses
with this tools.
==============================================================================
CERT-NL is the Computer Emergency Response Team, located in The
Netherlands. CERT-NL is a Full Member of the Forum of Incident Response
and Security Teams (FIRST). The constituency of CERT-NL are the SURFnet
connected institutions.
Past CERT-NL Security Bulletins and other CERT-NL related material can
be found on the anonymous FTP server of SURFnet bv:
"ftp.nic.surfnet.nl" [192.87.46.3], in the directory
"surfnet/net-security/cert-nl/docs/bulletin". This information is also
available using email. Send an email saying "help" to
"mailserv@nic.surfnet.nl".
In case of computer or network security problems please contact CERT-NL
or the CERT of your own constituency. Please be aware of the fact that
we are one (when DST is in effect two) hour(s) ahead of Universal Time
Coordinated (i.e. UTC+0100 (UTC+0200)).
Email: cert-nl@surfnet.nl
Phone: +31 30 310290
Fax: +31 30 340903
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
A 7*24h phonenumber is available to SURFnet SSC's and FIRST members on request
=============================================================================